FKIE_CVE-2026-23499

Vulnerability from fkie_nvd - Published: 2026-01-21 22:15 - Updated: 2026-01-29 18:19
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing Javascript. Depending on the deployment strategy, these files may be served from the same domain as the dashboard without any restrictions leading to the execution of malicious scripts in the context of the user's browser. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. Users are vulnerable if they host the media files inside the same domain as the dashboard, e.g., dashboard is at `example.com/dashboard/` and media are under `example.com/media/`. They are not impact if media files are hosted in a different domain, e.g., `media.example.com`. Users are impacted if they do not return a `Content-Disposition: attachment` header for the media files. Saleor Cloud users are not impacted. This issue has been patched in versions: 3.22.27, 3.21.43, and 3.20.108. Some workarounds are available for those unable to upgrade. Configure the servers hosting the media files (e.g., CDN or reverse proxy) to return the Content-Disposition: attachment header. This instructs browsers to download the file instead of rendering them in the browser. Prevent the servers from returning HTML and SVG files. Set-up a `Content-Security-Policy` for media files, such as `Content-Security-Policy: default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none';`.
References
security-advisories@github.comhttps://docs.saleor.io/security/#restricted-file-uploadsProduct
security-advisories@github.comhttps://github.com/saleor/saleor/commit/77f7927a0db9a216440df92c51012136f13e1d99Patch
security-advisories@github.comhttps://github.com/saleor/saleor/commit/7d33efc7a06252320cd51cbb20c2e308aed2fd10Patch
security-advisories@github.comhttps://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335Patch
security-advisories@github.comhttps://github.com/saleor/saleor/commit/ac6936a336289c77398ef600cad3498ad4ba261cPatch
security-advisories@github.comhttps://github.com/saleor/saleor/commit/b3cb27b3fe96dae3c879063e56d32a9398eabd24Patch
security-advisories@github.comhttps://github.com/saleor/saleor/security/advisories/GHSA-666h-2p49-pg95Vendor Advisory
Impacted products
Vendor Product Version
saleor saleor *
saleor saleor *
saleor saleor *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7F684302-13A5-4BD3-B546-3AB0297C0CF8",
              "versionEndExcluding": "3.20.108",
              "versionStartIncluding": "3.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FDC53D16-03D0-4360-B155-4EDE149A2C18",
              "versionEndExcluding": "3.21.43",
              "versionStartIncluding": "3.21.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A7BCEDB3-50C9-46CC-A3A7-564F00D76570",
              "versionEndExcluding": "3.22.27",
              "versionStartIncluding": "3.22.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing Javascript. Depending on the deployment strategy, these files may be served from the same domain as the dashboard without any restrictions leading to the execution of malicious scripts in the context of the user\u0027s browser. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. Users are vulnerable if they host the media files inside the same domain as the dashboard, e.g., dashboard is at `example.com/dashboard/` and media are under `example.com/media/`. They are not impact if media files are hosted in a different domain, e.g., `media.example.com`. Users are impacted if they do not return a `Content-Disposition: attachment` header for the media files. Saleor Cloud users are not impacted. This issue has been patched in versions: 3.22.27, 3.21.43, and 3.20.108. Some workarounds are available for those unable to upgrade. Configure the servers hosting the media files (e.g., CDN or reverse proxy) to return the Content-Disposition: attachment header. This instructs browsers to download the file instead of rendering them in the browser. Prevent the servers from returning HTML and SVG files. Set-up a `Content-Security-Policy` for media files, such as `Content-Security-Policy: default-src \u0027none\u0027; base-uri \u0027none\u0027; frame-ancestors \u0027none\u0027; form-action \u0027none\u0027;`."
    },
    {
      "lang": "es",
      "value": "Saleor es una plataforma de comercio electr\u00f3nico. A partir de la versi\u00f3n 3.0.0 y antes de las versiones 3.20.108, 3.21.43 y 3.22.27, Saleor permit\u00eda a los usuarios de personal autenticados o a las aplicaciones (Apps) subir archivos arbitrarios, incluyendo archivos HTML y SVG maliciosos que conten\u00edan Javascript. Dependiendo de la estrategia de despliegue, estos archivos pueden ser servidos desde el mismo dominio que el panel de control sin restricciones, lo que lleva a la ejecuci\u00f3n de scripts maliciosos en el contexto del navegador del usuario. Miembros del personal maliciosos podr\u00edan crear inyecciones de scripts para atacar a otros miembros del personal, posiblemente robando sus tokens de acceso y/o de actualizaci\u00f3n. Los usuarios son vulnerables si alojan los archivos multimedia dentro del mismo dominio que el panel de control, p. ej., el panel de control est\u00e1 en \u0027example.com/dashboard/\u0027 y los medios est\u00e1n bajo \u0027example.com/media/\u0027. No tienen impacto si los archivos multimedia est\u00e1n alojados en un dominio diferente, p. ej., \u0027media.example.com\u0027. Los usuarios tienen impacto si no devuelven una cabecera \u0027Content-Disposition: attachment\u0027 para los archivos multimedia. Los usuarios de Saleor Cloud no tienen impacto. Este problema ha sido parcheado en las versiones: 3.22.27, 3.21.43 y 3.20.108. Algunas soluciones provisionales est\u00e1n disponibles para aquellos que no pueden actualizar. Configure los servidores que alojan los archivos multimedia (p. ej., CDN o proxy inverso) para que devuelvan la cabecera Content-Disposition: attachment. Esto indica a los navegadores que descarguen el archivo en lugar de renderizarlo en el navegador. Evite que los servidores devuelvan archivos HTML y SVG. Configure una \u0027Content-Security-Policy\u0027 para los archivos multimedia, como \u0027Content-Security-Policy: default-src \u0027none\u0027; base-uri \u0027none\u0027; frame-ancestors \u0027none\u0027; form-action \u0027none\u0027;\u0027."
    }
  ],
  "id": "CVE-2026-23499",
  "lastModified": "2026-01-29T18:19:14.347",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.5,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-21T22:15:49.703",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://docs.saleor.io/security/#restricted-file-uploads"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/saleor/saleor/commit/77f7927a0db9a216440df92c51012136f13e1d99"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/saleor/saleor/commit/7d33efc7a06252320cd51cbb20c2e308aed2fd10"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/saleor/saleor/commit/ac6936a336289c77398ef600cad3498ad4ba261c"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/saleor/saleor/commit/b3cb27b3fe96dae3c879063e56d32a9398eabd24"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/saleor/saleor/security/advisories/GHSA-666h-2p49-pg95"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        },
        {
          "lang": "en",
          "value": "CWE-434"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.